Re: [nf-next PATCH v7 12/13] netfilter: nf_tables: Add notifications for hook changes

On Thu, May 22, 2025 at 05:26:49PM +0200, Pablo Neira Ayuso wrote:
> On Wed, May 21, 2025 at 10:44:33PM +0200, Phil Sutter wrote:
> > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> > index a7240736f98e..268bc00fe2ec 100644
> > --- a/net/netfilter/nf_tables_api.c
> > +++ b/net/netfilter/nf_tables_api.c
> > @@ -9686,6 +9686,64 @@ struct nf_hook_ops *nft_hook_find_ops_rcu(const struct nft_hook *hook,
> >  }
> >  EXPORT_SYMBOL_GPL(nft_hook_find_ops_rcu);
> >  
> > +static void
> > +nf_tables_device_notify(const struct nft_table *table, int attr,
> > +			const char *name, const struct nft_hook *hook,
> > +			const struct net_device *dev, int event)
> > +{
> > +	struct net *net = dev_net(dev);
> > +	struct nlmsghdr *nlh;
> > +	struct sk_buff *skb;
> > +	u16 flags = 0;
> > +
> > +	if (!nfnetlink_has_listeners(net, NFNLGRP_NFT_DEV))
> > +		return;
> > +
> > +	skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
> > +	if (!skb)
> > +		goto err;
> > +
> > +	event = event == NETDEV_REGISTER ? NFT_MSG_NEWDEV : NFT_MSG_DELDEV;
> > +	event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
> > +	nlh = nfnl_msg_put(skb, 0, 0, event, flags, table->family,
> > +			   NFNETLINK_V0, nft_base_seq(net));
> > +	if (!nlh)
> > +		goto err;
> > +
> > +	if (nla_put_string(skb, NFTA_DEVICE_TABLE, table->name) ||
> > +	    nla_put_string(skb, attr, name) ||
> > +	    nla_put(skb, NFTA_DEVICE_SPEC, hook->ifnamelen, hook->ifname) ||
> > +	    nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
> > +		goto err;
> > +
> > +	nlmsg_end(skb, nlh);
> > +	nfnetlink_send(skb, net, 0, NFNLGRP_NFTABLES,
>                                     ^..............^
>                                     NFNLGRP_NFT_DEV))

Oops! I tested this with both groups enabled in nftables. :(

> > +		       nlmsg_report(nlh), GFP_KERNEL);
> > +	return;
> > +err:
> > +	if (skb)
> > +		kfree_skb(skb);
> > +	nfnetlink_set_err(net, 0, NFNLGRP_NFTABLES, -ENOBUFS);
                                  ^^^^^^^^^^^^^^^^

Here's one more. Should I respin or will you fold these after applying?
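
Review bot: the multicast group is inconsistent inside nf_tables_device_notify(): the early return tests nfnetlink_has_listeners() on NFNLGRP_NFT_DEV, but both nfnetlink_send() and the nfnetlink_set_err() call under the err label use NFNLGRP_NFTABLES. A socket subscribed only to NFNLGRP_NFT_DEV passes the listener check and then never receives the message or the -ENOBUFS indication, so all three calls should name NFNLGRP_NFT_DEV. Smaller points in the same function: the `event == NETDEV_REGISTER ? NFT_MSG_NEWDEV : NFT_MSG_DELDEV` line reuses the parameter and maps every value other than NETDEV_REGISTER to NFT_MSG_DELDEV, so either document that callers pass only register/unregister events or switch on the event and return for anything else; `u16 flags = 0` is never modified and could be passed as a literal 0 to nfnl_msg_put(); and the `if (skb)` guard before kfree_skb() is redundant because kfree_skb() accepts NULL.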

Thanks, Phil



